Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Use Launch Templates for Auto Scaling Groups

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that all your Amazon Auto Scaling Groups (ASGs) are using launch templates instead of launch configurations. Launch templates offer more flexibility, versioning, support for new EC2 instance types, and several advanced features compared to launch configurations.

This rule can help you work with the AWS Well-Architected Framework.

Security
Reliability
Cost
optimisation
Performance
efficiency
Operational
excellence

Starting in 2023, launch configurations no longer support new Amazon EC2 instance types released after December 31, 2022. As a result, it is recommended to use launch templates instead when deploying Auto Scaling Groups (ASGs). Launch templates offer several advantages over launch configurations: easy settings specification using JSON or YAML files, support for multiple instance versions for testing or deploying various environments, and access to the latest Amazon EC2 launch wizard for additional instance configuration options.

Audit

To determine if your Auto Scaling Groups (ASGs) are utilizing launch templates, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the main navigation panel, under Auto Scaling, select Auto Scaling Groups.

04 Select the Auto Scaling Group (ASG) that you want to examine.

05 Choose the Details tab and search for the Launch template section. If there is no Launch template section listed on the Details panel, instead the Launch configuration section is displayed, the selected Auto Scaling Group (ASG) is not using a launch template to define the Amazon EC2 instances to launch.

06 Repeat steps no. 4 and 5 for each Auto Scaling Group available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to list the name of each Auto Scaling Group (ASG) available in the selected AWS region: 

aws autoscaling describe-auto-scaling-groups
  --region us-east-1
  --output table
  --query 'AutoScalingGroups[*].AutoScalingGroupName'

02 The command output should return a table with the requested ASG names: 

---------------------------
|DescribeAutoScalingGroups|
+-------------------------+
|  cc-web-production-asg  |
|  cc-internal-app-asg    |
+-------------------------+

03 Run describe-auto-scaling-groups command (OSX/Linux/UNIX) to describe the launch template associated with the Auto Scaling group (ASG) that you want to examine: 

aws autoscaling describe-auto-scaling-groups
  --region us-east-1
  --auto-scaling-group-name cc-web-production-asg
  --query 'AutoScalingGroups[*].LaunchTemplate'

04 The command output should return the information available for the launch template: 

[]

If the describe-auto-scaling-groups command output returns an empty array, i.e. [], as shown in the output example above, the selected Auto Scaling Group (ASG) is not using a launch template to define the Amazon EC2 instances to launch.

05 Repeat steps no. 3 and 4 for each Auto Scaling Group available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To ensure that your Amazon Auto Scaling Groups (ASGs) are using launch templates instead of launch configurations, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the main navigation panel, under Instances, select Launch Templates, and choose Create launch template to create a new launch template:

04 On the Create launch template setup page, provide the following details:

  1. For Launch template name - required, provide a unique name for the launch template.
  2. For Template version description, enter a short description for the template version.
  3. Under Auto Scaling guidance, select the Provide guidance to help me set up a template that I can use with EC2 Auto Scaling checkbox.
  4. Choose the AMI for the new launch template from the Application and OS Images (Amazon Machine Image) - required section. If your image is not in the Amazon Machine Image (AMI) list, choose Browse more AMIs to find your AMI.
  5. For Instance type, select the instance type required by the Auto Scaling Group (ASG).
  6. For Key pair (login), select an existing key pair from the Key pair name dropdown list or choose Create new key pair to create a new one.
  7. For Network settings, configure the networking settings (subnet, security group, network interface), based on your application requirements.
  8. For Storage (volumes), specify the storage options for the EC2 instances.
  9. For Resource tags, choose Add new tag to add resource tags.
  10. For Advanced details, configure the advanced settings such as IAM instance profile, CloudWatch monitoring, termination protection, based on your application requirements.
  11. Choose Create launch template to deploy your new EC2 launch template.

05 In the main navigation panel, under Auto Scaling, select Auto Scaling Groups.

06 Select the Auto Scaling Group (ASG) that you want to reconfigure, choose Actions, and select Edit.

07 Choose Switch to launch template from the Launch configuration section, and choose the name of your new EC2 launch template from the Launch template dropdown list.

08 Choose Update to associate your new launch template with the selected Auto Scaling Group (ASG).

09 Repeat steps no. 4 – 8 for each ASG that you want to reconfigure, available within the current AWS region.

10 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run create-launch-template command (OSX/Linux/UNIX) to create a new Amazon EC2 launch template for your Auto Scaling Group (ASG): 

aws ec2 create-launch-template 
  --region us-east-1 
  --launch-template-name web-asg-launch-template 
  --version-description "Ver. 1.0" 
  --launch-template-data '{"NetworkInterfaces":[{"DeviceIndex":0,"AssociatePublicIpAddress":true,"Groups":["sg-01234abcd1234abcd"],"DeleteOnTermination":true}],"ImageId":"ami-01234abcd1234abcd","InstanceType":"t3.large","TagSpecifications":[{"ResourceType":"instance","Tags":[{"Key":"environment","Value":"production"},{"Key":"purpose","Value":"auto-scaling group"}]},{"ResourceType":"volume","Tags":[{"Key":"environment","Value":"production"}]}],"BlockDeviceMappings":[{"DeviceName":"/dev/sda1","Ebs":{"VolumeSize":50}}]}'

02 The command output should return the information available for the new aunch template: 

{
	"LaunchTemplate": {
		"LaunchTemplateId": "lt-0abcd1234abcd1234",
		"LaunchTemplateName": "web-asg-launch-template",
		"CreateTime": "2023-07-28T18:53:05+00:00",
		"CreatedBy": "arn:aws:sts::123456789012:assumed-role/ec2-manager/i-0abcd1234abcd1234",
		"DefaultVersionNumber": 1,
		"LatestVersionNumber": 1
	}
}

03 Run update-auto-scaling-group command (OSX/Linux/UNIX) to associate the new EC2 launch template with your Auto Scaling Group (ASG) in order to replace the existing launch configuration (the command does not produce an output): IMPORTANT: The following reconfiguration process can impact application availability. Ensure that the selected Auto Scaling Group is NOT currently used in production or for critical operations. 

aws autoscaling update-auto-scaling-group 
  --region us-east-1 
  --auto-scaling-group-name cc-web-production-asg 
  --launch-template LaunchTemplateId=lt-0abcd1234abcd1234,Version=1

04 Repeat steps no. 1 – 3 for each ASG that you want to reconfigure, available in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and perform the Remediation process for other regions.

References

Publication date Aug 31, 2023

Related AutoScaling rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Use Launch Templates for Auto Scaling Groups

Risk Level: High